5f9a45c781500fd1d49e60ecc9acdcd6d92288da92f6130c2efe33aa6fcb251b

Analysis

max time kernel
115s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2022 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

214KB
MD5

67bf839781690986652387e088653eaf
SHA1

6ddb5bed7a0ec2db6bc35e5240afff230d19ac77
SHA256

5f9a45c781500fd1d49e60ecc9acdcd6d92288da92f6130c2efe33aa6fcb251b
SHA512

57049761fff07ea7ca46057fe6d434ebbdd9b93a384c00b74bf86626b97a2cfd11a4bee8adc6b6b286954ce9a9cf7bcfa96c5c8bc1e675f77dec8dd3f4b71aa9
SSDEEP

6144:MyJE1yd7WHJmcyfjtPWna4DQFu/U3buRKlemZ9DnGAevIhdiFy+:MU/d7WsvBPWa4DQFu/U3buRKlemZ9Dn4

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] 1. Visit https://tox.chat/download.html 2. Download and install qTOX on your PC. 3. Open it, click "New Profile" and create profile. 4. Click "Add friends" button and search our contact - 126E30C4CC9DE90F79D1FA90830FDC2069A2E981ED26B6DC148DA8827FB3D63A1B46CFDEC191 Your personal ID: 7D7-EAE-CD5 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://tox.chat/download.html

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EditCheckpoint.tiff	1.exe
File opened for modification	C:\Users\Admin\Pictures\ExitUnprotect.tiff	1.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeEnter.tiff	1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	Process
File opened (read-only)	\??\W:	1.exe
File opened (read-only)	\??\V:	1.exe
File opened (read-only)	\??\L:	1.exe
File opened (read-only)	\??\H:	1.exe
File opened (read-only)	\??\F:	1.exe
File opened (read-only)	\??\Z:	1.exe
File opened (read-only)	\??\U:	1.exe
File opened (read-only)	\??\S:	1.exe
File opened (read-only)	\??\M:	1.exe
File opened (read-only)	\??\J:	1.exe
File opened (read-only)	\??\G:	1.exe
File opened (read-only)	\??\N:	1.exe
File opened (read-only)	\??\I:	1.exe
File opened (read-only)	\??\X:	1.exe
File opened (read-only)	\??\T:	1.exe
File opened (read-only)	\??\R:	1.exe
File opened (read-only)	\??\Q:	1.exe
File opened (read-only)	\??\P:	1.exe
File opened (read-only)	\??\O:	1.exe
File opened (read-only)	\??\E:	1.exe
File opened (read-only)	\??\A:	1.exe
File opened (read-only)	\??\Y:	1.exe
File opened (read-only)	\??\K:	1.exe
File opened (read-only)	\??\B:	1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	geoiptool.com

Drops file in Program Files directory 64 IoCs

Processes:

1.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64.png	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.loplup.7D7-EAE-CD5	1.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-100.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\close-2.svg.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.scale-100.png	1.exe
File opened for modification	C:\Program Files\ConvertToFind.mpg.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.loplup.7D7-EAE-CD5	1.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreSmallTile.scale-100.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-20_altform-unplated_contrast-black.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.loplup.7D7-EAE-CD5	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf	1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\ui-strings.js	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-150.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeLargeTile.scale-200.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_hiContrast_bow.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\checkmark-2x.png	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_single_filetype.svg.loplup.7D7-EAE-CD5	1.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-24.png	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-100.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ui-strings.js.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\ui-strings.js.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons2x.png.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.loplup.7D7-EAE-CD5	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-lightunplated.png	1.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircleHover.png	1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-hover.svg.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.loplup.7D7-EAE-CD5	1.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\core.jar	1.exe

Drops file in Windows directory 1 IoCs

Processes:

1.exe

description	ioc	Process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
3748	powershell.exe
3748	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: 36	2536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2536	WMIC.exe
Token: SeSecurityPrivilege	2536	WMIC.exe
Token: SeTakeOwnershipPrivilege	2536	WMIC.exe
Token: SeLoadDriverPrivilege	2536	WMIC.exe
Token: SeSystemProfilePrivilege	2536	WMIC.exe
Token: SeSystemtimePrivilege	2536	WMIC.exe
Token: SeProfSingleProcessPrivilege	2536	WMIC.exe
Token: SeIncBasePriorityPrivilege	2536	WMIC.exe
Token: SeCreatePagefilePrivilege	2536	WMIC.exe
Token: SeBackupPrivilege	2536	WMIC.exe
Token: SeRestorePrivilege	2536	WMIC.exe
Token: SeShutdownPrivilege	2536	WMIC.exe
Token: SeDebugPrivilege	2536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2536	WMIC.exe
Token: SeRemoteShutdownPrivilege	2536	WMIC.exe
Token: SeUndockPrivilege	2536	WMIC.exe
Token: SeManageVolumePrivilege	2536	WMIC.exe
Token: 33	2536	WMIC.exe
Token: 34	2536	WMIC.exe
Token: 35	2536	WMIC.exe
Token: 36	2536	WMIC.exe
Token: SeBackupPrivilege	4392	vssvc.exe
Token: SeRestorePrivilege	4392	vssvc.exe
Token: SeAuditPrivilege	4392	vssvc.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	WMIC.exe
Token: SeSecurityPrivilege	2968	WMIC.exe
Token: SeTakeOwnershipPrivilege	2968	WMIC.exe
Token: SeLoadDriverPrivilege	2968	WMIC.exe
Token: SeSystemProfilePrivilege	2968	WMIC.exe
Token: SeSystemtimePrivilege	2968	WMIC.exe
Token: SeProfSingleProcessPrivilege	2968	WMIC.exe
Token: SeIncBasePriorityPrivilege	2968	WMIC.exe
Token: SeCreatePagefilePrivilege	2968	WMIC.exe
Token: SeBackupPrivilege	2968	WMIC.exe
Token: SeRestorePrivilege	2968	WMIC.exe
Token: SeShutdownPrivilege	2968	WMIC.exe
Token: SeDebugPrivilege	2968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2968	WMIC.exe
Token: SeRemoteShutdownPrivilege	2968	WMIC.exe
Token: SeUndockPrivilege	2968	WMIC.exe
Token: SeManageVolumePrivilege	2968	WMIC.exe
Token: 33	2968	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

1.execmd.execmd.exe

description	pid	Process	procid_target
PID 4420 wrote to memory of 5008	4420	1.exe	85
PID 4420 wrote to memory of 5008	4420	1.exe	85
PID 4420 wrote to memory of 5008	4420	1.exe	85
PID 4420 wrote to memory of 2360	4420	1.exe	86
PID 4420 wrote to memory of 2360	4420	1.exe	86
PID 4420 wrote to memory of 2360	4420	1.exe	86
PID 4420 wrote to memory of 3780	4420	1.exe	87
PID 4420 wrote to memory of 3780	4420	1.exe	87
PID 4420 wrote to memory of 3780	4420	1.exe	87
PID 4420 wrote to memory of 4516	4420	1.exe	90
PID 4420 wrote to memory of 4516	4420	1.exe	90
PID 4420 wrote to memory of 4516	4420	1.exe	90
PID 4420 wrote to memory of 2824	4420	1.exe	92
PID 4420 wrote to memory of 2824	4420	1.exe	92
PID 4420 wrote to memory of 2824	4420	1.exe	92
PID 4420 wrote to memory of 1192	4420	1.exe	94
PID 4420 wrote to memory of 1192	4420	1.exe	94
PID 4420 wrote to memory of 1192	4420	1.exe	94
PID 4420 wrote to memory of 368	4420	1.exe	96
PID 4420 wrote to memory of 368	4420	1.exe	96
PID 4420 wrote to memory of 368	4420	1.exe	96
PID 5008 wrote to memory of 2536	5008	cmd.exe	98
PID 5008 wrote to memory of 2536	5008	cmd.exe	98
PID 5008 wrote to memory of 2536	5008	cmd.exe	98
PID 1192 wrote to memory of 3748	1192	cmd.exe	99
PID 1192 wrote to memory of 3748	1192	cmd.exe	99
PID 1192 wrote to memory of 3748	1192	cmd.exe	99
PID 1192 wrote to memory of 2968	1192	cmd.exe	102
PID 1192 wrote to memory of 2968	1192	cmd.exe	102
PID 1192 wrote to memory of 2968	1192	cmd.exe	102
PID 4420 wrote to memory of 4492	4420	1.exe	104
PID 4420 wrote to memory of 4492	4420	1.exe	104
PID 4420 wrote to memory of 4492	4420	1.exe	104
PID 4420 wrote to memory of 4492	4420	1.exe	104
PID 4420 wrote to memory of 4492	4420	1.exe	104
PID 4420 wrote to memory of 4492	4420	1.exe	104

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:3780
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
  2⤵
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy ByPass -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe" -agent 0
  2⤵
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:368
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:4492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat

Filesize
262B

MD5
e6545ccb3660f88529716ed4e647c713

SHA1
ecd628f29985599a24c5c1d23083c689917dd74e

SHA256
e802bf0c4481bef693d4d1f307aba48301e330d3728dd46a4ec97c4a96b4d4a7

SHA512
f745e7d5dd006083234e783dd5dc7fb83043a7d0479ea2a91a2ddbc8c20ca47343516efbd155271768c675a22b32e88febdfe51551ec42dfdb64805c62c3188d

Download Submit
C:\Users\Admin\Desktop\ClearMeasure.xlt.loplup.7D7-EAE-CD5

Filesize
232KB

MD5
e2d18f772b283f9d8bc4b058c780a351

SHA1
b3cfe432f12f98ad4ba49dfe85a012ba585089c5

SHA256
7b305beb774aac72d40868c42ea6580569bf237319b69d2987f83cc6a74b1ee0

SHA512
d4fb030b41331677055eab7b4acdcec0acd19618cec7b41efc8b1806781beb75690af5fd432d32429d6675a9cb7e3099f0c8eb46af2c385375a35d27f67a0279

Download Submit
C:\Users\Admin\Desktop\CloseEdit.docm.loplup.7D7-EAE-CD5

Filesize
152KB

MD5
5d611eac49e64695227b1dec67970cee

SHA1
b50febbf4301d99c4e01d2b674e5881a5ab34ada

SHA256
0a4531b3862e831da75bce24b0a9aa8acdaa21c8c27920b118a47fce05d40d7d

SHA512
242a56ea02527a5cac699fade2b1cbfe4b882a3e02a2864ab493957332110533015a77a4310bb60499557155f17c9e6eb170d2acf2c7e4a51ab58841713db2e8

Download Submit
C:\Users\Admin\Desktop\ConvertFromBackup.xml.loplup.7D7-EAE-CD5

Filesize
108KB

MD5
7357be8e4909d256fc183975e1ed8b23

SHA1
316feb2bedd3b8ebcb14f80ce812f91a6dd7ef2a

SHA256
aebb60a33500576fc5e02dc260178bbce4a9de27e2ad5c98cc86570389f18d1b

SHA512
7475328da1019a1eefed6aa31fa97902cdb4850eba9c7992ad331724624c52b4aa478e25e01ed6c5dae8bb73830bdae62d97faa700e43d39205338ba0306a811

Download Submit
C:\Users\Admin\Desktop\DismountPublish.search-ms.loplup.7D7-EAE-CD5

Filesize
259KB

MD5
84f0f504a0e485d41edac5a0e8c6255b

SHA1
134bad6f9317b6fd3dcd3ea817a389d48f6c4f4a

SHA256
dd0e27c953ad008a2bfc756563ce223bd324893c1b148227936eccdfe69c73a9

SHA512
8322da4994d7d9963340b3deef72282d3259656c219720ca349b838fe03d39f838ec970685a6648cab02911416e8a978dbe1deb497fc62308557b2d86cc05471

Download Submit
C:\Users\Admin\Desktop\EditRevoke.mhtml.loplup.7D7-EAE-CD5

Filesize
250KB

MD5
62f962fa56eb7907f38860b60fc559f1

SHA1
71e26744040d80cf42efb4cdbd1f62a956de88f5

SHA256
04562a4ec69678f7ec7b25d479d109bc856d4c8e1056e217d572bfdabe58a296

SHA512
83c422db15240a9dba75d10a64e56f2c5b5500dc05003e250b8e48789f127f1c28947de0a4d4d8d1b7992334436301472ff01260a7c2a40a37ae9a8f6528feb3

Download Submit
C:\Users\Admin\Desktop\HideInstall.wmv.loplup.7D7-EAE-CD5

Filesize
268KB

MD5
c271ffdeb0b8faabe1e42f625d0105bb

SHA1
cc2cea7033594476c7bac6309e92c237d0dddc6d

SHA256
cf812a4eeb1d3666a501d63b27e60a2075ef4ed511d907f96b9771676c72b7cc

SHA512
f2c78beaa1854245b89031b5d7b78ed5f99abf6f0d2e4cbf1aa544576c7b4f6eb4ab1a5464cead10f6994b80c85d8c704af32a406aa765a5b6bd6f539eaa9c61

Download Submit
C:\Users\Admin\Desktop\HideStop.tiff.loplup.7D7-EAE-CD5

Filesize
143KB

MD5
b8939f4b6acc39c8a4cb2224ad693174

SHA1
156eda82544bad00af4351a0580927fd3d58f699

SHA256
46e496df4d5e99e6ea0f2f25c062fbfdc30aabc0122db09d1999acfe1fc9ebfe

SHA512
f1ad9bf6fc55e2ae189713e1f80cda85436b6ebca07714e903623d403943c82e5c3c93c715eac1de7cfa3fc0ce47e0737631952c11958fda1bf16b0e1389caaa

Download Submit
C:\Users\Admin\Desktop\InvokeResume.au.loplup.7D7-EAE-CD5

Filesize
161KB

MD5
722cbba58a0be87ada45f2ca9b42c483

SHA1
88d71789ff0415ff00554fbc5a187ed702eeb064

SHA256
0c0dcd342f771968ea79f1f131a8fd7363ca97ee11152306ae567bd7cab8b74d

SHA512
db2baf189582fad2c40d134d9801650d673a6719d7efc9712a44bab774290bb2509042839bfd083d88f4a39ac0535a35422eaae4b691b431f5587009c11cbed1

Download Submit
C:\Users\Admin\Desktop\JoinPublish.bmp.loplup.7D7-EAE-CD5

Filesize
206KB

MD5
fc967a320f419161d1125c734e0729ce

SHA1
940fa35f69f8e74d93f187228e83c1809abbbf59

SHA256
1d6f9753002f2278853a90ea0f2f3a2d7a29d8928d4793553ccf738ff7aaa658

SHA512
c1d84397cb1457c1d8232fdd4ae72531840e11927749a2a3110406b2073f29297f7ce89b707083d7101340894409ac890c8797aa6b9147e5359f9b4c5eef2a2e

Download Submit
C:\Users\Admin\Desktop\OptimizeSwitch.ico.loplup.7D7-EAE-CD5

Filesize
214KB

MD5
fbe145b3873ca2850d55ddb78fc886cc

SHA1
dfe2e0af5777d08b0d15f3aa493424dc4b54620e

SHA256
5bd519ab210a365008ecfa5984a91747847a1ed896568819286a808fc60a7cbb

SHA512
0780da5eb7b2dc31a65b836d902397e64a35c759be561c0041a5beddebe3d8488f3eecff50add072a21b24d08e2aafe4a382d728224b0e04c40ecc136c525078

Download Submit
C:\Users\Admin\Desktop\PushGrant.wvx.loplup.7D7-EAE-CD5

Filesize
188KB

MD5
ded72b640e9860650d6a57676e490b68

SHA1
9beaafc04b9ee9eea184d8b5fe191f150194b077

SHA256
3c9e087b0a1964eb1f465e29dca708fb21d837f03ca687657345477cea3eaaa4

SHA512
cf6dbcfc3194e45b4419d923ad3550ffeaa1aa91d3ceef7c999816ed9dd686a61d3ae4d0153c1c67ed230d10debd26360415bfc4b9d5b378356563505e739072

Download Submit
C:\Users\Admin\Desktop\ReadClose.edrwx.loplup.7D7-EAE-CD5

Filesize
126KB

MD5
095d71b8b9baed67b0ad0e7c4b333b12

SHA1
40fb1170c9d6721b06630af8112b852ed391a673

SHA256
6632818d77c6d8be2426d2a07d557618d31a305d7492c5493cbdcdc2546aedb9

SHA512
b6d4f47fb176686ee6d4d3c2e8283bb92cd84486055913b8e189b525d09a81c6897001b7222242ad22f0dd5038e7694b32a8894a9cc0b6f0bdb2e9a7a2da42b9

Download Submit
C:\Users\Admin\Desktop\RenameResolve.3g2.loplup.7D7-EAE-CD5

Filesize
419KB

MD5
f670805c4f7f6955129bf854de0ed152

SHA1
89f853d9254932fc208d842056e4a03d19d37f21

SHA256
f5d4aba33eb6432c98a7322861a2d86a39e8b5cc3107026d49e9e95d54813c86

SHA512
df003330e85c0bfb70586948a2aba67a9fab2d75c61d2cb326b6efc034ceba75f6f9abe047a8391de861df82491939e9c14397f9fa5993c2bd23744564e9b145

Download Submit
C:\Users\Admin\Desktop\ResolveExit.rar.loplup.7D7-EAE-CD5

Filesize
241KB

MD5
ff3812e5b8735e5772ba85b96f2c0f24

SHA1
9e95ad782b57b3f7c3b0aac04dd31ca08c94bab3

SHA256
81c66cda2c349d56be211746029c28f69b97d3dd7e2e3b4155126c977ab7951d

SHA512
54b1d5094a261e2b765cd94f95b6ae166b31dd3d1de47d090aef1412d697bda0cbbf11301cfb048bf07141258d49a420fd0f1fb756d291a381372428a90e0b75

Download Submit
C:\Users\Admin\Desktop\SearchExpand.doc.loplup.7D7-EAE-CD5

Filesize
294KB

MD5
2de76286db3d8fdd1b26b42f15bdc181

SHA1
4b10f13c37ba371b4f5981c58825e65d49d7d061

SHA256
1a580be1934a4298379683f5ec42ce60b96d38ace61a9e7ff1b5a2e1c9f841ab

SHA512
6b12cb58e7f47ea7d2d83fc7ea4294cc83e4c460ff7832d6c673f864fb255ca5a5e1db0e95fa2d791b3c492bd70afdd12195d26da9020177197e896b6cd03735

Download Submit
C:\Users\Admin\Desktop\SetBackup.mpeg.loplup.7D7-EAE-CD5

Filesize
277KB

MD5
7e6186832b5c262bc9ece961cb4f747e

SHA1
277f68644b31bedf6bf40588c880a1979630ba49

SHA256
5c5e5fe71ef468a290e4bb8e23241aa9a3f3f39e8a77d9bd9948920133c12c4a

SHA512
6152760976bc2c1fa3e2e09b5c9147b019b87ec4005a2c08778fba0dd5a424416d26c573d981eb91dfccacc61cadbe34e9df7b13e5d4b9be725fd9daf7274233

Download Submit
C:\Users\Admin\Desktop\SubmitWait.M2TS.loplup.7D7-EAE-CD5

Filesize
197KB

MD5
282ed9ca923542a22099f08c0ba965cd

SHA1
19c7c0aa2d9292e9494350167d8ce41fb231a364

SHA256
246400a056f7943f182e0fa27900b3e4aeb841e6c28771237bf90917f1d24b1f

SHA512
7a4044579e0bfe874d8e2a8cec592df520839068bd87464fbfd3405eefa31ad7aa415009adb837515fe6209fbe68552b902597cf35c32a71a56434bb037cb32e

Download Submit
C:\Users\Admin\Desktop\UndoInstall.ocx.loplup.7D7-EAE-CD5

Filesize
117KB

MD5
42078dbdbf90ca9d7a217e9d497040e6

SHA1
226d1621d920fef78ed67845ceea8664aadb2c88

SHA256
cadf3e07c4ad740d85013874a81f05a99821a63722ba608f699acb483c6559b3

SHA512
547c1299973bb2d653f7470fccb1d1ec302767a8751743f401f1308a563c98a5649707b2439e4857948d10abf3b8f00d3fab46835f721d4db88d77e408649564

Download Submit
C:\Users\Admin\Desktop\UninstallUnprotect.htm.loplup.7D7-EAE-CD5

Filesize
303KB

MD5
3919970d7b61796ebd28fad50183e0c0

SHA1
56f4ca48e44af8442fa39f064dd65ef246d455c2

SHA256
c4b96f23aa6c914c0133cb9ce4cf378424b9a6b038f01fcee0262e667655e5fc

SHA512
747d91dfa1fa4ad5d2d6d27fb80b22b6b5f3fa9ca6e8630b1057ffaec3879223f211bf320dbc2790c46c7c7ce14d862c8105fe07703a44f21b2dce0a2ea0eef8

Download Submit
C:\Users\Admin\Desktop\UnlockFormat.MTS.loplup.7D7-EAE-CD5

Filesize
134KB

MD5
efc3291bd05458f34f53788bb58aa525

SHA1
4dc1d1e6bfcbc3dde1fdf47df72673f47c3804bc

SHA256
9f078f9232c5e908029c42059ea4e20cfd79d9598abdbd70c89738bac5207226

SHA512
7eee5abe8d12b5c0189b706943f4c0ffe9714999c4b868db4ad145499f723330f5553658b4e63b2bacf8f26d213c5003b91118be54b8b25db62c471f9b61abcb

Download Submit
C:\Users\Admin\Desktop\UnprotectWrite.iso.loplup.7D7-EAE-CD5

Filesize
223KB

MD5
129e0957afa32b9e7a26c552d7a1272d

SHA1
6bafb2714b2d3214b2e15c2479612ed1419f5778

SHA256
037d8b29a2ba6979de331b4769d1f43c33a1b132cf7fe93d86dc35a5b41ed36a

SHA512
ed2da95393ed3fa64be652e99a54f4d0078eef72b5dbc6b61310a87bf37b5c6460768fa2a7772087c409a140646af70ea01dcc4ec82dbaa0cd3171fd8541051d

Download Submit
C:\Users\Admin\Desktop\UnpublishRequest.ocx.loplup.7D7-EAE-CD5

Filesize
179KB

MD5
7f71794f1316d0a467954c4df4e41e7e

SHA1
9528b9f69a29f3e024585e48c9c8f276f9cb0835

SHA256
5c6a1d018d0ff831122bac326e430eb503c04f265290f5f08710885fc4a02ee7

SHA512
71a351c5168062d1c611801ec195e13a0b5db83956329817a3099b338f93d03aaec87750e99114c423ec4d2d84f8575c17118aae96fdcb3f1b857a43e5034df4

Download Submit
C:\Users\Admin\Desktop\UnpublishUnprotect.docx.loplup.7D7-EAE-CD5

Filesize
286KB

MD5
7113b4784acb0e0fd908a5272d214acb

SHA1
4fcad9469cc05ef603a42abd1ebba3cd585af540

SHA256
fadac2cce5ffc1bfe8c89153b0e9dd1266a33b48b2fceb78628ea9ef3dd38dd8

SHA512
645a1635f0607c38bbc9619787925c30d59b7ab2ac621b06164f5c30ff944ac36ec5deef3ae571a019c07210977a2d611ed2c32153910e5bffd581680f005b5e

Download Submit
C:\Users\Admin\Desktop\WriteRead.wmx.loplup.7D7-EAE-CD5

Filesize
170KB

MD5
a01c17631321caef9ba58988eb547030

SHA1
2d1cbd9887a6c6de04018e74ecabb9d7278935d8

SHA256
104ca735bb2ccba1ac5ad2850e79520125a15af033a3b711ff8e30778bea28c9

SHA512
770fa8ead6d9ed600509bc71711064a9e87db779308ee8a85c39cb4356d42e87687f145c55a051e257efa39e77031d67f5fad22e142ceaec3c81a4210dc75ded

Download Submit
memory/368-138-0x0000000000000000-mapping.dmp

Download
memory/1192-137-0x0000000000000000-mapping.dmp

Download
memory/2360-133-0x0000000000000000-mapping.dmp

Download
memory/2536-139-0x0000000000000000-mapping.dmp

Download
memory/2824-136-0x0000000000000000-mapping.dmp

Download
memory/2968-152-0x0000000000000000-mapping.dmp

Download
memory/3748-146-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3748-141-0x0000000000000000-mapping.dmp

Download
memory/3748-151-0x0000000007350000-0x00000000078F4000-memory.dmp

Filesize
5.6MB

Download
memory/3748-145-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3748-144-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/3748-143-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/3748-142-0x0000000002440000-0x0000000002476000-memory.dmp

Filesize
216KB

Download
memory/3748-150-0x0000000006290000-0x00000000062B2000-memory.dmp

Filesize
136KB

Download
memory/3748-147-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/3748-148-0x0000000006D00000-0x0000000006D96000-memory.dmp

Filesize
600KB

Download
memory/3748-149-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/3780-134-0x0000000000000000-mapping.dmp

Download
memory/4492-177-0x0000000000000000-mapping.dmp

Download
memory/4516-135-0x0000000000000000-mapping.dmp

Download
memory/5008-132-0x0000000000000000-mapping.dmp

Download